Downloads: 352 | Stars: 0 | Active Installs: 0 | Versions: 1
Install in OpenClaw: /install tweet-monitor-pro
Description
Fetch X/Twitter tweets, replies, and timelines without login or API keys. Also supports Chinese platforms (Weibo, Bilibili, CSDN, WeChat).
Usage Guidance
Do not install or enable this skill blindly. Before using:
1) Ask the author for the repository and full source of the referenced x-tweet-fetcher and fetch_tweet.py; inspect that Python script for malicious behavior and network endpoints.
2) Verify why the skill calls /root/.openclaw/workspace/... — running scripts from /root is unusual; confirm the intended install location and run as non-root in a sandbox first.
3) Have the maintainer remove the shell-join exec usage or confirm proper input sanitization; the current execSync(args.join(' ')) can be exploited via crafted URLs/usernames.
4) If you plan to enable billing, only set SKILLPAY_API_KEY/SKILLPAY_SKILL_ID after verifying the server-side billing endpoints and the code path that uses them.
5) If unsure, run the skill in an isolated environment, or request a version that bundles/declares its dependencies (or uses execFile/spawn with sanitized args) and documents required binaries and config paths.
These steps will reduce the risk of accidental command execution, credential leakage, or unexpected filesystem access.
Capability Analysis
Type: OpenClaw Skill
Name: tweet-monitor-pro
Version: 1.0.0
The skill contains a critical command injection vulnerability in index.js, where user-provided parameters (url, username, baselineFile) are passed unsanitized to execSync via string concatenation. It also relies on a hardcoded absolute path to a script located in /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py, which is not included in the bundle and suggests irregular environment dependencies. While the skill claims to have a commercial subscription model, the upgrade logic is purely local and lacks actual payment verification, which is misleading but not definitively malicious.
Capability Assessment
Purpose & Capability
The README/SKILL.md promise 'zero-dependency' single-tweet fetches, yet index.js calls a Python script at a hard-coded path (/root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py) and requires python3 to be present. That external dependency is not declared anywhere in the manifest or SKILL.md (the docs mention Camofox but not x-tweet-fetcher). The hard-coded /root path and implicit dependency on another skill/tool contradict the stated 'no dependencies' claim.
Instruction Scope
SKILL.md does not describe the code's runtime behavior in detail: index.js uses child_process.execSync to run external scripts and reads/writes a quota DB (quotas.json or path set by QUOTA_DB env var). execSync is invoked via building a single shell string (args.join(' ')), which makes the skill vulnerable to shell injection if inputs (url, username, baselineFile) are not sanitized. The code also assumes access to filesystem paths under /root, which is outside the skill's own directory and not mentioned in SKILL.md.
Install Mechanism
There is no install spec (instruction-only with an included index.js). That's lower risk in principle, but the code depends on an external Python script from a different skill path. SKILL.md suggests installing Camofox (via a GitHub repo) for advanced features, but does not instruct installing or verifying the x-tweet-fetcher Python script that index.js actually executes. The missing install/ownership information for that external script is a red flag.
Credentials
The manifest and metadata claim no required env vars, but index.js reads process.env.QUOTA_DB (optional) and SKILL.md/README reference SkillPay env vars (SKILLPAY_API_KEY, SKILLPAY_SKILL_ID) for billing integration. Those env vars are not declared in requires.env, and the code does not implement SkillPay logic — this mismatch is suspicious. The code also implicitly requires python3 and write permission to its quota DB path (possibly under /root).
Persistence & Privilege
The skill is not 'always: true' and is user-invocable (normal). It writes a quota DB (quotas.json) in its directory by default or to QUOTA_DB if set — that is reasonable for quota tracking. However, it assumes filesystem access to /root/.openclaw/workspace/... to run the external script, which implies elevated or cross-skill access assumptions; this should be verified before install.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install tweet-monitor-pro
- After installation, invoke the skill by name or use /tweet-monitor-pro
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Fetch X/Twitter tweets without API. Free tier 10 calls, Pro .9/mo (1000 calls), Business .9/mo (unlimited).
Frequently Asked Questions
What is Tweet Monitor Pro?
Fetch X/Twitter tweets, replies, and timelines without login or API keys. Also supports Chinese platforms (Weibo, Bilibili, CSDN, WeChat). It is an AI Agent Skill for Claude Code / OpenClaw, with 352 downloads so far.
How do I install Tweet Monitor Pro?
Run "/install tweet-monitor-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tweet Monitor Pro free?
Yes, Tweet Monitor Pro is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tweet Monitor Pro support?
Tweet Monitor Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Tweet Monitor Pro?
It is built and maintained by hejiubot (@hejiubot); the current version is v1.0.0.